Failure to Manage Mobile Device Results in Action under HIPAA

A recent $650,000 settlement agreement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) makes it clear that an effective enterprise mobility management (EMM) solution is a requirement for compliance with the HIPAA privacy and security rules.

On June 24, 2016, the Department of Health and Human Services’ Office for Human Rights (HHS) announced the settlement agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). In the announcement, HHS described how the theft of a CHCS-issued iPhone had compromised the protected health information (PHI) of 412 nursing home residents. Notably, this was the first-ever resolution agreement with a “business associate” under HIPAA, and the fact that it involved a mobile device highlights the growing importance of implementing appropriate security management controls and procedures in an increasingly mobile workplace.

Mobile Devices That Store PHI Must Be Encrypted and Password Protected

At a minimum, if a mobile device is going to have access to PHI, the device must be encrypted and password protected. In the announcement, HHS specifically notes that “[t]he iPhone was unencrypted and was not password protected.” This was a significant issue because the iPhone contained extensive, sensitive information, including social security numbers, diagnosis and treatment information, medical procedures, names of family members and legal guardians, and medication information.

Health care providers that allow mobile devices to access and store PHI should use mobile device management software to meet this requirement for encryption and password protection. These are basic features of a standard EMM solution and can be set as a matter of policy for all devices that may access or store PHI.

Health Care Providers Must Have Mitigation and Remediation Plans

If a mobile device is going to have access to PHI, the health care provider must also have a plan in place to mitigate the potential harm if the device is lost or stolen. In its announcement, HHS noted that “[a]t the time of the incident, CHCS had no policies addressing … what to do in the event of a security incident …” and that CHCS had no risk analysis or risk management plan. As a result, CHCS had no way to mitigate the potential disclosure of patient records on the stolen iPhone.

EMM solutions provide the tools to help design and implement a proper risk management plan. In particular, with an EMM solution, a health care provider can immediately block a lost or stolen device’s access to the provider’s corporate network and can remotely wipe all health-care-related information from the device. For a stolen device, EMM can also wipe the entire device (if the user is concerned about personal data stored on it) and, if geolocation tracking has been enabled, can provide tools to help track down the thief.
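The two controls described in the preceding sections (the minimum encryption and passcode requirement for any device that touches PHI, and the block-then-wipe response when a device is lost or stolen) can be expressed as a small compliance check over a device inventory. The following is an added example written for this page; it is not code from the original post, from CHCS, or from MobileIron, and the `Device` record, the inventory entries and the response actions are constructed stand-ins rather than any real EMM product’s API. It also covers the failure mode behind the CHCS case: a device holding PHI that was never enrolled in an EMM cannot be remotely wiped at all, so the playbook has to escalate instead of pretending the wipe succeeded.

```python
"""Mobile device PHI compliance check and lost-device response.

Added example, not code from the original post or from MobileIron.
Models the controls the post describes: any device that accesses PHI
must be encrypted and passcode-protected, and a lost or stolen device
must first be cut off from the corporate network and then wiped.
All device records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str
    accesses_phi: bool   # does the device access or store PHI?
    encrypted: bool      # device storage encryption enabled
    passcode_set: bool   # screen-lock passcode/password enforced
    enrolled: bool       # enrolled in the EMM (remotely manageable)
    network_blocked: bool = False
    wiped: bool = False


def compliance_findings(device):
    """Return the minimum-control requirements the device fails.

    A device that never accesses PHI is out of scope for these checks.
    Lack of EMM enrollment is reported because without it the provider
    has no way to enforce the policy or respond to a loss.
    """
    if not device.accesses_phi:
        return []
    findings = []
    if not device.encrypted:
        findings.append("storage not encrypted")
    if not device.passcode_set:
        findings.append("no passcode/password")
    if not device.enrolled:
        findings.append("not enrolled in EMM (cannot be remotely wiped)")
    return findings


def noncompliant_devices(inventory):
    """Map device_id -> findings for every device with at least one finding."""
    report = {}
    for device in inventory:
        findings = compliance_findings(device)
        if findings:
            report[device.device_id] = findings
    return report


def respond_to_lost_device(device, wipe_entire_device=False):
    """Lost/stolen-device playbook; returns the ordered incident record.

    Order matters: network access is revoked before the wipe is issued so
    the device cannot pull fresh PHI while the wipe command is pending.
    If the device is not enrolled, no remote action is possible and the
    case must go straight to breach assessment.
    """
    actions = []
    if not device.enrolled:
        actions.append("device not enrolled: no remote wipe possible, "
                       "escalate to breach assessment")
        return actions
    device.network_blocked = True
    actions.append("blocked corporate network access")
    device.wiped = True
    if wipe_entire_device:
        actions.append("wiped entire device")
    else:
        actions.append("wiped health-care data (enterprise container)")
    return actions


# Constructed inventory: one compliant device, one that mirrors the
# CHCS iPhone (PHI present, no encryption, no passcode, not managed),
# and one that never touches PHI.
INVENTORY = [
    Device("iphone-001", "nurse.a", accesses_phi=True,
           encrypted=True, passcode_set=True, enrolled=True),
    Device("iphone-002", "nurse.b", accesses_phi=True,
           encrypted=False, passcode_set=False, enrolled=False),
    Device("android-003", "admin.c", accesses_phi=False,
           encrypted=False, passcode_set=False, enrolled=False),
]


if __name__ == "__main__":
    for device_id, findings in noncompliant_devices(INVENTORY).items():
        print(device_id, "->", "; ".join(findings))
    for step in respond_to_lost_device(INVENTORY[0]):
        print("iphone-001:", step)
    for step in respond_to_lost_device(INVENTORY[1]):
        print("iphone-002:", step)
```

Run as a script, the check flags only `iphone-002` with all three findings, and the lost-device response for that same device returns the escalation record rather than a wipe, which is exactly the position CHCS was in. A real deployment would read the inventory from the EMM’s reporting interface and issue the block and wipe through that product’s own commands; the data model here only shows which attributes the compliance decision depends on.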

EMM is Critical to Implementation of Mandatory Policies

The Settlement Agreement outlines the mandatory policies and practices that CHCS agreed with HHS to implement in the wake of the HIPAA violation. It serves as a good roadmap for health care providers assessing their own policies and practices. Without an EMM solution, a health care provider would be unable to adequately implement many of these policies, particularly those that require encryption, password management, security incident response and mobile device control. More information on how EMM solutions can assist in HIPAA compliance is available in a MobileIron White Paper on HIPAA Compliance.

Carl Spataro